
Getting error "ACS_FAILED_PROCESS_FAILURE" and 500 in browser


Article ID: 188685


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


We're running Federation Services as an SP (Service Provider). When
the browser returns to the Assertion Consumer page on our SP after
successfully authenticating at the IdP (Identity Provider), the
Federation Service returns error 500 to the browser.

  https://mysp.sp.com/affwebservices/public/saml2assertionconsumer

  HTTP Status 500 - Internal Error occured while trying to process the
  request. Transaction ID:
  beea39ed-52f0ed02-c785bf98-7e237392-2a8392dd-f7 failed.

  The Federation Service shows the error:

    "ACS_FAILED_PROCESS_FAILURE"

How can we fix this?

Cause


The request ends with a 500 error:


logs.saz

fiddler.saz :

Line 1 :

GET https://myidp.idp.com/sso/saml?SAMLRequest=pVHLboMwELznK5DvYDAkEAuQIkWRIqUPtVEPvUTGmMYN2MRrquTva1Ck9NJeuoc97MzOjmbz1WCP6kWcBwHWW7smFbNSqwIdre2BYiy%2BzNU6AEAH%2BmRZwHWHWd9PgDYfaRbPY3IYIWBd65BW8knjEGFxOSWmS8%2F2s9ro3dNeJpcFdkp4pCJvuy7QoWYJbzhbxiwlQrCsqpZN6IZknpE4Zsu6IgtHBRjEVoFlyhaIhCT0w8QP032Y0YTQOHlH3pswMHknQYi8S9cqKNBgFNUMJFDFOgHUcvq6ethRx6G90VZz3aJy5rnKFUR0OmS8jTYds7%2BvR0E0TWTtNxOVDgp6wWUjRX07Tp3e3wYYgDBjVqgclcYQfehzfDdyc%2FboVrfrZ%2B2yvf7TGy5nOf759%2FIb

  HTTP/1.1 200 OK
  Date: Tue, 07 Apr 2020 08:43:01 GMT
  Server: Apache

Line 2 :

POST https://mysp.sp.com/affwebservices/public/saml2assertionconsumer
SAMLResponse=rVXBbtpAED23Uv%2FB8h1sr01srwIpDYqE1CRSSHPopVp2x81WeG1510n4%2B84aMDYhtFUjcWGYnffmvZnh%2FOIlXzlPUGlZqLEbDH3XAcULIdXPsfvt%2FmqQuBeTc83yFSnpHeiyUBqcGWgjFTPNo0djSk09L1%2FrcogfXuQey7JnWGqoniQH7ZX1ciW515RhGsP2JcdSdQ6V68xnY1eKIE6DlETRKAqCyCckJn4QR2GYno0wRe3A74ux%2B0OwiGdCM6ZF9qwFS5bLNPMxSkgYslQsyRm%2B0bqGudKGKTN2iU%2F8gR8N%2FPjeT2gUUj8Yxj757joPu%2FaJbR8FUZpuOh67daVowbTUVLEcNDWcLqbXXymm0rIqTMGLlTv59HEjEW0gK%2BeqqHJmTr%2B2ESkGWZNKQRlp1j30089bGS264%2BRrKcqBFMjE61JpqZV0YZipdZPdD10WApwHtqrhNKRusumi5uipdr1JC9YpvhViuqPXMxcgSRJCIoKejphmQUDewaZ%2FEuqdjGpqdWXHyofCt2CLevkLuNm%2B2QZvsOx89kcGwTA4YFArXQKXmQSxo4FE4PNm9bYYXhekD7xlc1moTNqC1qRrMI%2BFOK0Dz%2BkSWIUL26K%2BXXHGDDu6tJylIYtxEuzO4voy3OJmcUdJZ3VvCnOrbqtpZqB6NRPJfibuUIhSgh2c%2Fz5D3qSv3ZGuJl2fu65uhcBcIW2ith18AXQMDumHHfp%2F2Wbfv2ktsGMOqK2pJG95HUnB%2BAerx3ZCu911Uo6FD4vvft932O17WptHZU8A5OiF03x9a6MJHaXDOEqx%2FQWeESw1VwJejs7H5qaP7F9COxuHYiAUkjLwYl6rsP%2FtcoWG30FmFTl5LTjlNhXDnT17Ld7Rym%2Bl9BTsa7W%2FofuT2b2ruwWa%2FAY%3D

  HTTP/1.1 500 Internal Server Error
  Date: Tue, 07 Apr 2020 08:43:02 GMT
  Server: Apache/2.4.29 (Win64) OpenSSL/1.0.2l-fips mod_jk/1.2.42

  HTTP Status 500 - Internal Error occured while trying to process the
  request. Transaction ID:
  137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a failed.

affwebserv.log :

  [2844/8752][Tue Apr 07 2020 12:20:59][AssertionConsumer.java][ERROR][sm-FedClient-02890] Transaction with ID: 1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496 failed. Reason: ACS_FAILED_PROCESS_FAILURE (, , )

FWSTrace.log :

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][AssertionConsumer.java][redirectLoginFailure][AuthReason=48]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

The Policy Server consumes the assertion successfully, but the user
search finds 2 users with the same mail attribute. Because it cannot
disambiguate the user, the authentication fails:

smtracedefault.log<SM2> :

  [04/07/2020][14:21:00.067][14:21:00][3056][3544][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s17816/r365][][][][][][][][][][][][][][][][][][][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][Receive request attribute 221, data size is 48][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.067][14:21:00][3056][3544][Saml2Validator.java][checkAssertion][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][][][][][][][][][][][][][][][][][][][][Assertion not rejected(id179327112032433342074115472): POST binding request, sig processing disabled][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.067][14:21:00][3056][3544][SmAuthSaml.cpp:1478][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Search Pattern: [email protected]][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.067][14:21:00][3056][3544][SmDsDir.cpp:66][CSmDsDir::CSmDsDir][][][][][][][][][][][][][][][][][][][About to initialize directory, Oid='0e-e7d7cd6d-55w2-4ffb-9e48-19e092c03805', Name='myspstore'][][Start of call InitDir.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.067][14:21:00][3056][3544][SmDsLdapProvider.cpp:1901][CSmDsLdapProvider::SearchImpl][][][][][][][][][][][][][][][][][][][][][search filter is : (&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))([email protected]))][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.223][14:21:00][3056][3544][SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Base: 'ou=postqa,dc=tenants,dc=home', Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))([email protected]))'. Status: 2 entries.][][Ldap Search callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.223][14:21:00][3056][3544][SmAuthSaml.cpp:2315][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][User directory : 'myspstore', returned more than one user for search: '[email protected]'. Failed to disambiguate user uniquely. Returning user not found status code.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.223][14:21:00][3056][3544][Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][s17816/r365][samlidp:myidp][][][][samlidp:myidp][samlidp:myidp][myspstore][][][][][][][][][][][][][** Status: Authentication Attempt Failed. ][][][][][][48][][samlidp:mysp-idp-partnership][][][][][][][][][06-56351236-84b4-4ff2-82f2-0f61f9f1be6e][][][][][][][][][][][][][][][][][][][][][]

Ensure that each user in the User Directory is unique for the attribute
used in the search (here, the mail attribute).

Environment


  CA Access Gateway (SPS) 12.8SP0 on Windows 2016

  Policy Server 12.8SP1 on Windows 2016

Resolution


- In the User Directory


     myspstore 10.0.0.1:10000

  ensure that only 1 user has the attribute:

     [email protected]

  to solve this issue.
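
One way to find the entries that share a value before they break a login, as an added example that is not part of the original article or of the product: it scans an LDIF export of the user directory and reports every mail value held by more than one entry. The sample LDIF, its DNs and mail values are constructed, the function names are this example's own, and it assumes the directory has already been exported to LDIF.

```python
import base64
from collections import defaultdict

# Constructed sample export (not from the article); DNs and mail values are made up.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=postqa,dc=tenants,dc=home
mail: J.Doe@example.test

dn: uid=jdoe-old,ou=postqa,dc=tenants,dc=home
mail:: ai5kb2VAZXhhbXBsZS50ZXN0

dn: uid=asmith,ou=postqa,dc=tenants,
 dc=home
mail: a.smith@example.test
"""

def parse_ldif(text):
    """Yield (dn, {attribute: [values]}) for each entry in an LDIF export."""
    unfolded = []
    for line in text.splitlines():
        # RFC 2849 folding: a line starting with one space continues the previous one.
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" carries a base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)

def duplicate_values(ldif_text, attr="mail"):
    """Return {value: [DNs]} for every value of attr held by more than one entry."""
    owners = defaultdict(set)
    for dn, attrs in parse_ldif(ldif_text):
        for value in attrs.get(attr.lower(), []):
            owners[value.lower()].add(dn)  # mail is matched case-insensitively
    return {v: sorted(dns) for v, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    print(duplicate_values(SAMPLE_LDIF))
```

Any value it reports corresponds to a search that would return more than one entry, which is the "Status: 2 entries" condition in the Policy Server trace above.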